Purpose
This study aims to investigate the information technology security practices of very small enterprises.

Design/methodology/approach
The authors perform a formal information security field study using a representative sample. Using the Control Objectives for IT (COBIT) framework, the authors evaluate 67 information security controls and perform 206 related tests. The authors state six hypotheses about the findings and accept or reject them using inferential statistics. The authors explain the findings using social comparison theory and rare events bias theory.

Findings
Only one-third of all the controls examined were designed properly and operated as expected. About half of the controls were either ill-designed or did not operate as intended. Social comparison theory and rare events bias theory explain managers' reliance on small experience samples, which in turn leads to an erroneous understanding of the parts of their business environment that relate to information security.

Practical implications
This information is valuable to executive branch policy makers striving to reduce information security vulnerability at local and national levels, and to small business organizations providing information and advice to their members.

Originality/value
Information security surveys are usually over-optimistic and avoid self-incrimination, yielding results that are less accurate than field work. To obtain grounded facts, the authors used the field research approach to gather qualitative and quantitative data by physically visiting active organizations, interviewing managers and staff, observing processes and reviewing written materials such as policies, procedures and logs, in accordance with common practices of security audits.
Information and Computer Security – Emerald Publishing
Published: Nov 14, 2016